On 2017-03-27 23:37, Kurt Seifried wrote:
> The source container from V.3 of the JSON:
>
> "SOURCE": {
> "DATA_VERSION": "3.0",
> "DISCOVERED_BY": "string",
> "DISCOVERED_WITH": "string",
> "VERIFICATION": "string",
> "CNA_CHAIN": [
> "string initial CNA",
> "string parent CNA",
> "string root CNA"
> ]
> }
>
> So I think the problem for me at least is that "source" is an array
> with a variety of source information things, not just a single thing
> per se.
Here, source covers discoverer/finder and CNAs involved in the
assignment.
> SOURCE: The organization or individual who reports the details of a
> vulnerability and is requesting a CVE ID. The SOURCE would report
> the details and request the CVE ID though a CNA, or in some cases
> may be the CNA themselves if found internally. Also, this would
> match up with the discoverer of the vulnerability.
Here, "source" ~= "requester."
The source I'm advocating is a required reference to at least one
original/canonical public URL. This assumes public CVE entries are for
publicly disclosed vulnerabilities and we're OK requiring a public
reference URL.
- Art
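To make the two readings concrete, here is an added example (not code from this thread or from the CVE JSON project): a small check that validates the V3 "SOURCE" container quoted above and, optionally, the required canonical public reference URL argued for in the reply. The field name "REFERENCES" and the sample values are assumptions for illustration.

```python
from urllib.parse import urlparse

# Constructed sample, not taken from the thread: a V3-style SOURCE
# container with the fields quoted above.
SOURCE_V3 = {
    "DATA_VERSION": "3.0",
    "DISCOVERED_BY": "Example Researcher",
    "DISCOVERED_WITH": "fuzzing harness",
    "VERIFICATION": "vendor confirmed",
    "CNA_CHAIN": ["initial CNA", "parent CNA", "root CNA"],
}

# The same record plus the public reference the reply asks for.
# "REFERENCES" is a hypothetical field name, not part of the V3 schema.
SOURCE_WITH_REF = dict(SOURCE_V3, REFERENCES=["https://example.org/advisory/1"])

REQUIRED_V3 = ("DATA_VERSION", "DISCOVERED_BY", "DISCOVERED_WITH",
               "VERIFICATION", "CNA_CHAIN")


def is_public_url(url):
    """True for an absolute http(s) URL; file:, local paths, etc. fail."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def validate_source(src, require_public_ref=False):
    """Return a list of problems found; an empty list means it passes."""
    problems = []
    for key in REQUIRED_V3:
        if key not in src:
            problems.append(f"missing {key}")
    if src.get("DATA_VERSION") != "3.0":
        problems.append("DATA_VERSION must be '3.0'")
    chain = src.get("CNA_CHAIN")
    if (not isinstance(chain, list) or not chain
            or not all(isinstance(c, str) and c for c in chain)):
        problems.append("CNA_CHAIN must be a non-empty list of CNA names")
    if require_public_ref:
        refs = src.get("REFERENCES", [])
        if not any(isinstance(r, str) and is_public_url(r) for r in refs):
            problems.append("at least one public http(s) reference URL is required")
    return problems
```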